Secret.get does has the Secret's contents in plaintext in the statefile #2300

mike-chen-samsung · 2023-02-02T20:09:15Z

What happened?

import { Secret } from '@pulumi/kubernetes/core/v1'

Secret.get(...)

If you look at the resource in the statefile, its data will be (encoded) in plaintext under outputs.__inputs.data. This is a security concern! Not only is it unencrypted in state, but it will sometimes show as a diff in pulumi up --diff --refresh

Expected Behavior

As a general rule, I expect that if an outputs.xxx value is encrypted, its corresponding outputs.__inputs.xxx value should be encrypted too

Steps to reproduce

Create a Secret

echo 'apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  USER_NAME: YWRtaW4=
  PASSWORD: MWYyZDFlMmU2N2Rm' | kubectl apply -f -

In your Pulumi code add Secret.get("mysecret", "default/mysecret")
pulumi stack export > state.json
Find the secret in the statefile and see that outputs.__inputs.data is unencrypted (though outputs.data is properly encrypted)

Output of `pulumi about`

CLI          
Version      3.53.1
Go Version   go1.19.5
Go Compiler  gc

Plugins
NAME        VERSION
kubernetes  3.21.3

Host     
OS       darwin
Version  11.6
Arch     x86_64

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

The text was updated successfully, but these errors were encountered:

thomas11 · 2023-02-03T14:38:09Z

Thank you for the report, @mike-chen-samsung, this sounds indeed concerning. A first glance at the code shows that output.__inputs is supposed to be encrypted.

We'll investigate further today.

thomas11 · 2023-02-03T19:26:32Z

I was able to repro this locally with a default Minikube installation, your instructions above (except stack export instead of state export), and this minimal program:

import * as k8s from "@pulumi/kubernetes";
k8s.core.v1.Secret.get("mysecret", "default/mysecret")

checkpointObject checks for secrets in the input, but in this case the input is of Kind=="Secret" but ContainsSecret() is false. I'm not quite sure yet that this is the best fix but it works in my local repro.

Encrypt secrets in __inputs #2300 `checkpointObject` checks for secrets in the input, but in this case the input is of Kind=="Secret" and ContainsSecret() is false. Also encrypt annotations and stringData in the secret kind case.

thomas11 · 2023-02-07T23:21:28Z

Hi @mike-chen-samsung, the latest pulumi-kubernetes v3.24.0 has this fixed. Thank you again for reporting it!

mike-chen-samsung added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Feb 2, 2023

thomas11 added impact/security and removed needs-triage Needs attention from the triage team labels Feb 3, 2023

thomas11 mentioned this issue Feb 3, 2023

Fix for __inputs secrets #2300 #2301

Merged

thomas11 closed this as completed in #2301 Feb 6, 2023

pulumi-bot added the resolution/fixed This issue was fixed label Feb 6, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Secret.get does has the Secret's contents in plaintext in the statefile #2300

Secret.get does has the Secret's contents in plaintext in the statefile #2300

mike-chen-samsung commented Feb 2, 2023 •

edited

thomas11 commented Feb 3, 2023

thomas11 commented Feb 3, 2023

thomas11 commented Feb 7, 2023

Secret.get does has the Secret's contents in plaintext in the statefile #2300

Secret.get does has the Secret's contents in plaintext in the statefile #2300

Comments

mike-chen-samsung commented Feb 2, 2023 • edited

What happened?

Expected Behavior

Steps to reproduce

Output of pulumi about

Additional context

Contributing

thomas11 commented Feb 3, 2023

thomas11 commented Feb 3, 2023

thomas11 commented Feb 7, 2023

mike-chen-samsung commented Feb 2, 2023 •

edited

Output of `pulumi about`